And then we have MyMoneyBox (part of the MFSA family), which given its name should know better about security. In fact, it seems to have now gone HTTPS, so the login is now secure. But as you can see below, it wasn’t until recently:

Couchsurfing: Invalid SSL Certificate

Needless to say, it is useless to use HTTPS if it is not trusted. Fortunately, this issue has since been fixed.

Malta Police Force: Passwords In Email, Freedom of Information Link

The Malta Police Force website offers a number of services including filing a police report online. At the bottom of the declaration where you’re about to file a report, there’s a link to the Freedom of Information Act:

Unfortunately, it doesn’t work:

That error is actually coming from elsewhere on the government network (looks like it’s the Department of Information). Either the Malta Police Force need to fix their link to point elsewhere, or the DOI needs to fix a problem in their SharePoint system.

There’s something a lot worse, though. Some people have reported that when you file a police report, you choose a password, which is then sent to you via email.

This image was contributed by someone who actually filed a real police report. Aside from various spelling issues in the email, you can see that the password (obfuscated here for obvious reasons) is included.

This is something you always want to avoid because you can never assume that email is a secure channel on which to send sensitive information such as credentials or credit card information. Good practice is to let users choose their password over a secure channel (which the system reportedly already does), store it securely using a one-way hash, and provide the means to reset it using limited-time tokens in case the password is forgotten.

Rizzo Farrugia – Broken Link For New Equity

When new shares under the symbol “PG” were listed on the Malta Stock Exchange, Rizzo Farrugia were quick to add it to their own list:

However, they were not nearly as fast at creating the detail page that the listing links to:

No big deal there. It was fixed the next day.

PWC Refresh Form

PricewaterhouseCoopers has this newsletter signup form. It has a reset button. Something pretty normal, you’d think, until you see that it refreshes the entire page!

Form resetting functionality has been built into browsers since long before I started creating websites (15 years and counting). In this case, I see they wanted to reset the CAPTCHA. But they already have functionality to reset the CAPTCHA without reloading the page (the orange round arrow next to the CAPTCHA), so why reload the whole page just to reset a form?

IDPC: Line Spacing

What I’d like to call out here is the questionable design choice of using massive line spacing, which is especially noticeable in the Complaint text area since about half of the tiny box is wasted with empty space.

Summary

Transmitting credentials insecurely remains one of the most common issues on websites today, and it is completely unacceptable. Depending on the nature of the user account, this might not be as risky as transmitting credit card details insecurely (something we’ve also seen in abundance over the past few months), but that does not relieve websites from their duty as data controllers to transmit sensitive data securely.

It is also important to test websites properly in order to identify broken links and data-related issues as we have seen.

Finally, secure transmission of sensitive data does not stop at using HTTPS. SSL certificates must be integral and trusted, otherwise it is just as good as not having HTTPS. Email is not a secure channel, so don’t use it to send sensitive data, especially if there exist alternative data flows where you don’t have to.